Recon

a guest Jan 28th, 2020
1- Not a lot of GitHub sensitive exposures, since I already made a full video for that in BC university.

2- I spoke about creating a specific wordlist for each target, depending on the patterns I notice in each target.
The wordlist will initially have 3-5 file paths for each known technology, then I add to it the robots.txt disallowed entries for the target company. That's the baseline. I add the subdomains to the list (yes, it happens with some companies: http://whatever.corp.example.com/whatever/), and the MOST important part is gathering paths & endpoints from GitHub for the company. A path might be for an internal host, but it's also there on production ones; you can't just depend on SecLists and known wordlists for that.

3- Gathering subdomains from GitHub for each target. The 1M list is good but not enough; from GitHub you get to see other subdomains, e.g. for Kubernetes: k8s-prd, k8s, depending on the company, etc.

You can use this https://github.com/gwen001/github-search for points 2-3.

4- This is nice and updated if you know how to clean the lists and use them with yours: https://github.com/milo2012/pathbrute (defaultPaths.txt, cvePaths.txt, packetstormPaths.txt, webappPaths.txt)

5- The new beta Shodan is very nice. Examples:
It can help gathering subs easily: https://beta.shodan.io/domain/paypal.com
Easy sorting: https://beta.shodan.io/search/facet?query=ssl%3Aoath+port%3A%22443%22&facet=org

6- When I have time to hunt for a month, I subscribe for a month to the Shodan Small Business plan ($299), which gives you:

Features
Up to 20 million results per month *
Scan up to 65,536 IPs per month
Network Monitoring for 65,536 IPs
Access to most filters
Allows paging through results
Basic access to the Streaming API
Commercial Use
E-Mail support
Vulnerability search filter
Their API is amazing.

7- I use this to manage my projects; it's underrated, I highly recommend trying it, it's free and amazing: https://github.com/intrigueio/intrigue-core

8- I keep monitoring changes on all subs I gathered.
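One way to do the change monitoring in point 8, as an added example that is not part of the original paste. It normalises host entries in the forms mentioned above (full URLs pulled from GitHub, wildcard names, host:port lines, trailing dots), keeps only hosts inside the scope domain, and diffs the result against the previous snapshot; an asset-inventory owner can run the same diff to catch drift in their own attack surface. The scope domain example.com and both snapshot lists are constructed for this example.

```python
"""Subdomain inventory diff: normalise gathered host entries, then report drift."""
from urllib.parse import urlsplit


def normalize_host(entry, scope):
    """Reduce one gathered entry to a lowercase hostname.

    Returns None for blank/comment lines and for hosts outside `scope`.
    Handles full URLs, wildcard names (*.x), host:port and trailing dots.
    """
    entry = entry.strip().lower()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:
        # GitHub hits often arrive as full URLs with a path; keep the host only.
        entry = urlsplit(entry).hostname or ""
    entry = entry.lstrip("*.").rstrip(".")  # wildcard cert names, trailing dot
    entry = entry.split(":")[0]             # host:port from scanner output
    if entry == scope or entry.endswith("." + scope):
        return entry
    return None


def load_inventory(lines, scope):
    """Build the deduplicated set of in-scope hosts from raw gathered lines."""
    hosts = set()
    for line in lines:
        host = normalize_host(line, scope)
        if host:
            hosts.add(host)
    return hosts


def diff_inventory(previous, current):
    """Return hosts that appeared since the last snapshot and hosts that vanished."""
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}


# Constructed sample snapshots (not real data from the paste).
SCOPE = "example.com"
PREVIOUS_SNAPSHOT = ["www.example.com", "api.example.com", "k8s.example.com"]
CURRENT_SNAPSHOT = [
    "WWW.example.com",                                  # case differs only
    "http://whatever.corp.example.com/whatever/",       # URL form from GitHub
    "*.k8s-prd.example.com",                            # wildcard from a cert
    "api.example.com:443",                              # host:port line
    "cdn.example.net",                                  # out of scope, dropped
    "k8s.example.com.",                                 # trailing dot
]

if __name__ == "__main__":
    prev = load_inventory(PREVIOUS_SNAPSHOT, SCOPE)
    cur = load_inventory(CURRENT_SNAPSHOT, SCOPE)
    print(diff_inventory(prev, cur))
```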

9- I tend to be selective and more focused on what others ignore (302, 403, 401), and I always find endpoints reachable, and got 3-4 critical bugs based on that when (302,401,401) were bypassed, mainly endpoints that were gathered from GitHub.

10- It's good to make honeypots with technologies like Ruby, WebLogic, etc. There are a lot of CVEs but not a lot of public exploits; some people keep their exploits for themselves, and they might use them on your honeypots.